RE: [WIRELESS-LAN] NAT tracking question

2015-02-25 Thread Brian Helman
1:1 NAT doesn't necessarily mean the connection is bi-directional, but I agree 
with what your question implies.  I'd rather deal with the public addresses at 
the firewall rather than the public+NAT'd addresses (especially in a Zero Trust 
Network model).   It also removes the need for internal vs external DNS 
(except, maybe, to hide system names).  I don't guarantee a 1:1 NAT, but we try 
to keep that ratio very low for troubleshooting/tracing/identification purposes... 
except for gaming consoles. For those, I'd recommend a 1:1 or just dole out 
public addresses!

-Brian


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Chuck Anderson [c...@wpi.edu]
Sent: Monday, February 23, 2015 3:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] NAT tracking question

If you have 1 public IP address reserved for each individual user, why
do you need to do NAT at all?  This is a serious question--if you
aren't saving public IPs by doing 1:many NAT, why do NAT at all?

Thanks.

On Mon, Feb 23, 2015 at 11:33:45AM -0500, Norman Elton wrote:
> We play tricks with our ISC DHCP server and a pair of F5 LTMs (similar
> to the A10 gear). The DHCP server hands out predetermined private IP
> addresses to devices as soon as we determine ownership (through our
> NAC). For outbound traffic, the F5 uses this private IP address to NAT
> to a public IP address that is reserved for the individual user. The
> end result is that no matter where the device is on campus, we know
> that 128.239.x.y is something owned by Joe Smith. If we need to know
> exactly which device, we consult our flow logs. But at least we're 99%
> confident we're dealing with the right student.
>
> I'm happy to share the gory details if someone wants to wrap their
> head around it.
>
> Norman Elton
> College of William & Mary
>
>
>
> On Mon, Feb 23, 2015 at 10:30 AM, Danny Eaton  wrote:
> > We've got our Juniper SRX 5800 doing our NAT for all wireless, plus all 
> > students and visitors (wired or wireless).
> >
> > We send those logs (and the SRX is VERY CHATTY about NAT) to our Splunk 
> > server for the tying together of date/time, public IP and private IP - in 
> > the event we get a notice from some TLA.
> >
> > -Original Message-
> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> > [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Heath Barnhart
> > Sent: Monday, February 23, 2015 9:12 AM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: Re: [WIRELESS-LAN] NAT tracking question
> >
> > We use a Sonicwall E8500 for NAT, it will log all NAT translations and send 
> > them as syslog to a server for storage. I have logrotate changing files 
> > every hour to make it easier to search on.
> > --
> > Heath Barnhart
> > ITS Network Administrator
> > Washburn University
> > Topeka, KS
> >
> >
> > On Wed, 2015-01-14 at 14:49 -0500, Jerry Bucklaew wrote:
> >> To ALL:
> >>
> >> We have a large Cisco wireless deployment with public ip address
> >> space.  Getting more public IP's is getting difficult so we are
> >> considering going to NAT.  The issue we have with NAT is that we still
> >> want to be able to map an outside IP back to an individual user.  Once
> >> you go to NAT that of course becomes more difficult to do.   I know a
> >> lot of you are probably already doing this and I was wondering how and
> >> what products do you use?  I assume most have a one to many NAT and then
> >> use something like a netflow collector to track the inside NAT IP to
> >> the outside Src-IP/DST-IP/Port/Time. Any good working solutions or
> >> products would be helpful.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
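Every reply in the thread above describes the same lookup: take the NAT translation logs (SRX or SonicWall to Splunk/syslog, F5 session records) or NetFlow, and map an outside IP, port and time back to an inside host. The script below is an added worked illustration of that lookup; it is not code from the list or from any of the vendors named. Its log format is constructed for the example (real firewalls each have their own session-create/session-close messages, so LINE_RE and parse_nat_log() are the parts to adapt), and the sample addresses are documentation ranges. The point it makes is the one behind Jerry's question: with 1:many NAT the public address alone names a pool of users, the public port is reused as soon as a session closes, and so a defensible answer needs the port, the destination, a timezone-aware timestamp and session open/close (or flow start/end) records rather than a snapshot.

```python
"""Map a public (post-NAT) address back to the inside host at a given time.

Added example for the NAT tracking thread; not code from the listserv or
from Juniper, SonicWall, F5 or A10.  The log format is constructed for
illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample: inside hosts are RFC 1918, the NAT pool is
# 203.0.113.0/24 and destinations are in 198.51.100.0/24 (documentation
# ranges).  Public port 40001 is handed to a second inside host 13 seconds
# after the first session using it closes.
SAMPLE_LOG = """\
2015-02-23T15:02:11Z NAT_CREATE proto=tcp src=10.20.30.40:51234 nat=203.0.113.5:40001 dst=198.51.100.9:443
2015-02-23T15:02:30Z NAT_CREATE proto=tcp src=10.20.30.77:44100 nat=203.0.113.5:40002 dst=198.51.100.9:443
2015-02-23T15:04:57Z NAT_CLOSE proto=tcp src=10.20.30.40:51234 nat=203.0.113.5:40001 dst=198.51.100.9:443
2015-02-23T15:05:10Z NAT_CREATE proto=tcp src=10.20.30.91:60010 nat=203.0.113.5:40001 dst=198.51.100.22:80
2015-02-23T15:09:00Z NAT_CLOSE proto=tcp src=10.20.30.77:44100 nat=203.0.113.5:40002 dst=198.51.100.9:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) NAT_(?P<event>CREATE|CLOSE) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) nat=(?P<nat>[\d.]+):(?P<nport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Session:
    proto: str
    inside: str                     # private ip:port before translation
    outside: str                    # public ip:port after translation
    dest: str                       # destination ip:port
    start: datetime
    end: Optional[datetime] = None  # None: no close seen (still open, or a log gap)


def parse_ts(text: str) -> datetime:
    # Require an explicit offset: comparing a naive firewall timestamp with
    # a complainant's time in another zone is how the wrong user gets named.
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S%z")


def parse_nat_log(text: str) -> List[Session]:
    """Pair CREATE and CLOSE events on the (proto, src, nat, dst) tuple."""
    open_sessions = {}
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog traffic; count these in production
        key = (m["proto"], f"{m['src']}:{m['sport']}",
               f"{m['nat']}:{m['nport']}", f"{m['dst']}:{m['dport']}")
        ts = parse_ts(m["ts"])
        if m["event"] == "CREATE":
            s = Session(key[0], key[1], key[2], key[3], start=ts)
            open_sessions[key] = s
            sessions.append(s)
        else:
            s = open_sessions.pop(key, None)
            if s is not None:
                s.end = ts
    return sessions


def lookup(sessions, public_ip, at, public_port=None, dest=None, skew_seconds=60):
    """Sessions that used public_ip (and port / destination, if given) at
    time `at`, widened by skew_seconds on each side for clock drift between
    the firewall and whoever wrote the complaint.  Most recent first."""
    skew = timedelta(seconds=skew_seconds)
    hits = []
    for s in sessions:
        ip, port = s.outside.rsplit(":", 1)
        if ip != public_ip:
            continue
        if public_port is not None and int(port) != public_port:
            continue
        if dest is not None and s.dest != dest:
            continue
        if at < s.start - skew:
            continue
        if s.end is not None and at > s.end + skew:
            continue
        hits.append(s)
    return sorted(hits, key=lambda s: s.start, reverse=True)


def inside_hosts(sessions, public_ip, at, public_port=None, dest=None, skew_seconds=60):
    """Distinct inside addresses matching the query; more than one means the
    evidence (port, destination, exact time) is not specific enough."""
    return sorted({s.inside.rsplit(":", 1)[0]
                   for s in lookup(sessions, public_ip, at, public_port, dest, skew_seconds)})


if __name__ == "__main__":
    sessions = parse_nat_log(SAMPLE_LOG)
    when = parse_ts("2015-02-23T15:05:00Z")
    # IP alone: three candidates.  IP+port: still two, because the port was
    # reused inside the skew window.  IP+port+destination: one.
    print(inside_hosts(sessions, "203.0.113.5", when))
    print(inside_hosts(sessions, "203.0.113.5", when, public_port=40001))
    print(inside_hosts(sessions, "203.0.113.5", when, public_port=40001,
                       dest="198.51.100.9:443"))
```

A result with more than one inside host is the cue to go back to the complainant for the destination or a tighter timestamp rather than picking the most likely student; an empty result at skew_seconds=0 that becomes non-empty with a minute of skew usually means the firewall clock and the complainant's clock disagree, which is the argument for NTP on everything in the logging path and for keeping the close events (or flow end times), not just the creates.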


HP is reportedly trying to buy Aruba Networks

2015-02-25 Thread trent . hurt
http://mvnoblog.com/hp-is-reportedly-trying-to-buy-aruba-networks/


RE: Cisco MSE Alternatives

2015-02-25 Thread trent . hurt
Just out of curiosity, and also as someone who has an MSE: I'm wondering how you 
utilize the MSE and the info you get from it? Is your network set up for 
location services? Anything with the new analytics stuff?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Williams, Matthew
Sent: Wednesday, February 25, 2015 2:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco MSE Alternatives

We need to upgrade our MSEs and I'm just curious if anyone knows if there are 
any third-party alternatives to the MSE.

Respectfully,

Matthew Williams
IT Manager, Wireless
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445



Cisco MSE Alternatives

2015-02-25 Thread Williams, Matthew
We need to upgrade our MSEs and I'm just curious if anyone knows if there are 
any third-party alternatives to the MSE.

Respectfully,

Matthew Williams
IT Manager, Wireless
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445

